-
Catalyst 4500 Series Switch Cisco IOS Command Reference, 12.2(25)SG
-
Quick Links to Catalyst 4500 Series Switch Cisco IOS Commands
-
Index
-
Preface
-
Command-Line Interface
-
aaa accounting dot1x default start-stop group radius through instance
-
interface port-channel through shape
-
show access-group mode interface through show vtp
-
snmp ifindex clear through vtp v2-mode
-
Acronymns
-
Acknowledgements for Open-Source Software
-
Table Of Contents
ip arp inspection limit (interface)
ip arp inspection vlan logging
ip dhcp snooping information option
ip dhcp snooping information option allow-untrusted
ip igmp snooping report-suppression
ip igmp snooping vlan explicit-tracking
ip igmp snooping vlan immediate-leave
ip verify source vlan dhcp-snooping
l2protocol-tunnel drop-threshold
l2protocol-tunnel shutdown-threshold
logging event link-status global (global configuration)
logging event link-status (interface configuration)
logging event trunk-status global (global configuration)
logging event trunk-status (interface configuration)
mac-address-table dynamic group protocols
port-security mac-address sticky
qos (global configuration mode)
qos (interface configuration mode)
qos account layer2 encapsulation
renew ip dhcp snooping database
2.2interface
To select an interface to configure and to enter interface configuration mode, use the interface command.
interface type number
Syntax Description
type
Type of interface to be configured; see Table 2-7 for valid values.
number
Module and port number.
Defaults
No interface types are configured.
Command Modes
Global configuration
Command History
Usage Guidelines
Table 2-7 lists the valid values for type.
Table 2-7 Valid type Values
ethernet
Ethernet IEEE 802.3 interface.
fastethernet
100-Mbps Ethernet interface.
gigabitethernet
Gigabit Ethernet IEEE 802.3z interface.
tengigabitethernet
10-Gigabit Ethernet IEEE 802.3ae interface.
ge-wan
Gigabit Ethernet WAN IEEE 802.3z interface; supported on Catalyst 4500 series switches that are configured with a Supervisor Engine II only.
pos
Packet OC-3 interface on the Packet over SONET Interface Processor; supported on Catalyst 4500 series switches that are configured with a Supervisor Engine II only.
atm
ATM interface; supported on Catalyst 4500 series switches that are configured with a Supervisor Engine II only.
vlan
VLAN interface; see the interface vlan command.
port-channel
Port channel interface; see the interface port-channel command.
null
Null interface; the valid value is 0.
tunnel
Tunnel interface.
Examples
This example shows how to enter the interface configuration mode on the Fast Ethernet interface 2/4:
Switch(config)# interface fastethernet2/4Switch(config)#Related Commands
interface port-channel
To access or create a port-channel interface, use the interface port-channel command.
interface port-channel channel-group
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
12.1(8a)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
You do not have to create a port-channel interface before assigning a physical interface to a channel group. A port-channel interface is created automatically when the channel group gets its first physical interface, if it is not already created.
You can also create the port channels by entering the interface port-channel command. This will create a Layer 3 port channel. To change the Layer 3 port channel into a Layer 2 port channel, use the switchport command before you assign the physical interfaces to the channel group. A port channel cannot be changed from Layer 3 to Layer 2 or vice versa when it contains member ports.
Only one port channel in a channel group is allowed.
CautionThe Layer 3 port-channel interface is the routed interface. Do not enable Layer 3 addresses on the physical Fast Ethernet interfaces.
If you want to use CDP, you must configure it only on the physical Fast Ethernet interface and not on the port-channel interface.
Examples
This example creates a port-channel interface with a channel-group number of 64:
Switch(config)# interface port-channel 64Switch(config)#Related Commands
channel-group
show etherchannelinterface range
To run a command on multiple ports at the same time, use the interface range command.
interface range {vlan vlan_id - vlan_id} {port-range | macro name}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration
Interface configuration
Command History
12.1(8a)EW
Support for this command was introduced on the Catalyst 4500 series switch.
12.1(12c)EW
Support for extended VLAN addresses added.
Usage Guidelines
You can use the interface range command on the existing VLAN SVIs only. To display the VLAN SVIs, enter the show running config command. The VLANs that are not displayed cannot be used in the interface range command.
The values that are entered with the interface range command are applied to all the existing VLAN SVIs.
Before you can use a macro, you must define a range using the define interface-range command.
All configuration changes that are made to a port range are saved to NVRAM, but the port ranges that are created with the interface range command do not get saved to NVRAM.
You can enter the port range in two ways:
•
•
You can either specify the ports or the name of a port-range macro. A port range must consist of the same port type, and the ports within a range cannot span the modules.
You can define up to five port ranges on a single command; separate each range with a comma.
When you define a range, you must enter a space between the first port and the hyphen (-):
interface range gigabitethernet 5/1 -20, gigabitethernet4/5 -20.Use these formats when entering the port-range:
•
•
Valid values for interface-type are as follows:
•
•
•
You cannot specify both a macro and an interface range in the same command. After creating a macro, you can enter additional ranges. If you have already entered an interface range, the CLI does not allow you to enter a macro.
You can specify a single interface in the port-range value. This makes the command similar to the interface interface-number command.
Examples
This example shows how to use the interface range command to interface to FE 5/18 - 20:
Switch(config)# interface range fastethernet 5/18 - 20Switch(config-if)#This command shows how to run a port-range macro:
Switch(config)# interface range macro macro1Switch(config-if)#Related Commands
define interface-range
show running config (refer to Cisco IOS documentation)interface vlan
To create or access a Layer 3 switch virtual interface (SVI), use the interface vlan command. To delete an SVI, use the no form of this command.
interface vlan vlan_id
no interface vlan vlan_id
Syntax Description
Defaults
Fast EtherChannel is not specified.
Command Modes
Global configuration
Command History
12.1(8a)EW
Support for this command was introduced on the Catalyst 4500 series switch.
12.1(12c)EW
Support for extended addressing was added.
Usage Guidelines
The SVIs are created the first time that you enter the interface vlan vlan_id command for a particular VLAN. The vlan_id value corresponds to the VLAN tag that is associated with the data frames on an ISL or 802.1Q-encapsulated trunk or the VLAN ID that is configured for an access port. A message is displayed whenever a VLAN interface is newly created, so you can check that you entered the correct VLAN number.
If you delete an SVI by entering the no interface vlan vlan_id command, the associated interface is forced into an administrative down state and marked as deleted. The deleted interface will no longer be visible in a show interface command.
You can reinstate a deleted SVI by entering the interface vlan vlan_id command for the deleted interface. The interface comes back up, but much of the previous configuration will be gone.
Examples
This example shows the output when you enter the interface vlan vlan_id command for a new VLAN number:
Switch(config)# interface vlan 23% Creating new VLAN interface.Switch(config)#ip arp inspection filter vlan
To permit ARPs from hosts that are configured for static IP when DAI is enabled and to define an ARP access list and apply it to a VLAN, use the ip arp inspection filter vlan command. To disable this application, use the no form of this command.
ip arp inspection filter arp-acl-name vlan vlan-range [static]
no ip arp inspection filter arp-acl-name vlan vlan-range [static]
Syntax Description
arp-acl-name
Access control list name.
vlan-range
VLAN number or range; valid values are from 1 to 4094.
static
(Optional) Specifies that the access control list should be applied statically.
Defaults
No defined ARP ACLs are applied to any VLAN.
Command Modes
Configuration
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
When an ARP access control list is applied to a VLAN for dynamic ARP inspection, the ARP packets containing only the IP-to-Ethernet MAC bindings are compared against the ACLs. All other packet types are bridged in the incoming VLAN without validation.
This command specifies that the incoming ARP packets are compared against the ARP access control list, and the packets are permitted only if the access control list permits them.
If the access control lists deny the packets because of explicit denies, the packets are dropped. If the packets are denied because of an implicit deny, they are then matched against the list of DHCP bindings if the ACL is not applied statically.
Examples
This example shows how to apply the ARP ACL "static-hosts" to VLAN 1 for DAI:
Switch# config terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# ip arp inspection filter static-hosts vlan 1Switch(config)# endSwitch#Switch# show ip arp inspection vlan 1Source Mac Validation : EnabledDestination Mac Validation : DisabledIP Address Validation : DisabledVlan Configuration Operation ACL Match Static ACL---- ------------- --------- --------- ----------1 Enabled Active static-hosts NoVlan ACL Logging DHCP Logging---- ----------- ------------1 Acl-Match DenySwitch#Related Commands
arp access-list
show ip arp inspectionip arp inspection limit (interface)
To limit the rate of incoming ARP requests and responses on an interface and prevent DAI from consuming all of the system's resources in the event of a DoS attack, use the ip arp inspection limit command. To release the limit, use the no form of this command.
ip arp inspection limit {rate pps | none} [burst interval seconds]
no ip arp inspection limit
Syntax Description
Defaults
The rate is set to 15 packets per second on the untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.
The rate is unlimited on all the trusted interfaces.
The burst interval is set to 1 second by default.
Command Modes
Interface
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
12.1(20)EW
Added support for interface monitoring.
Usage Guidelines
The trunk ports should be configured with higher rates to reflect their aggregation. When the rate of the incoming packets exceeds the user-configured rate, the interface is placed into an error-disabled state. The error-disable timeout feature can be used to remove the port from the error-disabled state. The rate applies to both the trusted and nontrusted interfaces. Configure appropriate rates on trunks to handle the packets across multiple DAI-enabled VLANs or use the none keyword to make the rate unlimited.
The rate of the incoming ARP packets onthe channel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for the channel ports only after examining the rate of the incoming ARP packets on the channel members.
After a switch receives more than the configured rate of packets every second consecutively over a period of burst seconds, the interface is placed into an error-disabled state.
Examples
This example shows how to limit the rate of the incoming ARP requests to 25 packets per second:
Switch# config terminalSwitch(config)# interface fa6/3Switch(config-if)# ip arp inspection limit rate 25Switch(config-if)# endSwitch# show ip arp inspection interfaces fastEthernet 6/3Interface Trust State Rate (pps)--------------- ----------- ----------Fa6/3 Trusted 25Switch#This example shows how to limit the rate of the incoming ARP requests to 20 packets per second and to set the interface monitoring interval to 5 consecutive seconds:
Switch# config terminalSwitch(config)# interface fa6/1Switch(config-if)# ip arp inspection limit rate 20 burst interval 5Switch(config-if)# endRelated Commands
ip arp inspection log-buffer
To configure the parameters that are associated with the logging buffer, use the ip arp inspection log-buffer command. To disable the parameters, use the no form of this command.
ip arp inspection log-buffer {entries number | logs number interval seconds}
no ip arp inspection log-buffer {entries | logs}
Syntax Description
Defaults
When dynamic ARP inspection is enabled, denied, or dropped, the ARP packets are logged.
The number of entries is set to 32.
The number of logging entries is limited to 5 per second.
The interval is set to 1.
Command Modes
Configuration
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
The first dropped packet of a given flow is logged immediately. The subsequent packets for the same flow are registered but are not logged immediately. Registering these packets is done in a log buffer that is shared by all the VLANs. Entries from this buffer are logged on a rate-controlled basis.
Examples
This example shows how to configure the logging buffer to hold up to 45 entries:
Switch# config terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# ip arp inspection log-buffer entries 45Switch(config)# endSwitch# show ip arp inspection logTotal Log Buffer Size : 45Syslog rate : 5 entries per 1 seconds.No entries in log buffer.Switch#This example shows how to configure the logging rate to 10 logs per 3 seconds:
Switch(config)# ip arp inspection log-buffer logs 10 interval 3Switch(config)# endSwitch# show ip arp inspection logTotal Log Buffer Size : 45Syslog rate : 10 entries per 3 seconds.No entries in log buffer.Switch#Related Commands
arp access-list
show ip arp inspectionip arp inspection trust
To set a per-port configurable trust state that determines the set of interfaces where incoming ARP packets are inspected, use the ip arp inspection trust command. To make the interfaces untrusted, use the no form of this command.
ip arp inspection trust
no ip arp inspection trust
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Interface
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Examples
This example shows how to configure an interface to be trusted:
Switch# config terminalSwitch(config)# interface fastEthernet 6/3Switch(config-if)# ip arp inspection trustSwitch(config-if)# endTo verify the configuration, use the show form of this command:
Switch# show ip arp inspection interfaces fastEthernet 6/3Interface Trust State Rate (pps)--------------- ----------- ----------Fa6/3 Trusted NoneSwitch#Related Commands
ip arp inspection validate
To perform specific checks for ARP inspection, use the ip arp inspection validate command. To disable checks, use the no form of this command.
ip arp inspection validate [src-mac] [dst-mac] [ip]
no ip arp inspection validate [src-mac] [dst-mac] [ip]
Syntax Description
Defaults
Checks are disabled.
Command Modes
Configuration
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
When enabling the checks, specify at least one of the keywords (src-mac, dst-mac, and ip) on the command line. Each command overrides the configuration of the previous command. If a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.
The no form of this command disables only the specified checks. If none of the check options are enabled, all the checks are disabled.
Examples
This example show how to enable the source MAC validation:
Switch(config)# ip arp inspection validate src-macSwitch(config)# endSwitch# show ip arp inspection vlan 1Source Mac Validation : EnabledDestination Mac Validation : DisabledIP Address Validation : DisabledVlan Configuration Operation ACL Match Static ACL---- ------------- --------- --------- ----------1 Enabled ActiveVlan ACL Logging DHCP Logging---- ----------- ------------1 Deny DenySwitch#Related Commands
arp access-list
show arp access-listip arp inspection vlan
To enable dynamic ARP inspection (DAI) on a per-VLAN basis, use the ip arp inspection vlan command. To disable DAI, use the no form of this command.
ip arp inspection vlan vlan-range
no ip arp inspection vlan vlan-range
Syntax Description
Defaults
ARP inspection is disabled on all VLANs.
Command Modes
Configuration
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
You must specify on which VLANs to enable DAI. DAI may not function on the configured VLANs if they have not been created or if they are private.
Examples
This example shows how to enable DAI on VLAN 1:
Switch(config)# ip arp inspection vlan 1Switch(config)# endSwitch# show ip arp inspection vlan 1Source Mac Validation : DisabledDestination Mac Validation : DisabledIP Address Validation : DisabledVlan Configuration Operation ACL Match Static ACL---- ------------- --------- --------- ----------1 Enabled ActiveVlan ACL Logging DHCP Logging---- ----------- ------------1 Deny DenySwitch#Related Commands
arp access-list
show ip arp inspectionip arp inspection vlan logging
To control the type of packets that are logged, use the ip arp inspection vlan logging command. To disable this logging control, use the no form of this command.
ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {permit | all | none}}
no ip arp inspection vlan vlan-range logging {acl-match | dhcp-bindings}
Syntax Description
Defaults
All denied or dropped packets are logged.
Command Modes
Configuration
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
The acl-match and dhcp-bindings keywords merge with each other. When you set an ACL match configuration, the DHCP bindings configuration is not disabled. You can use the no form of this command to reset some of the logging criteria to their defaults. If you do not specify either option, all the logging types are reset to log on when the ARP packets are denied. The two options that are available to you are as follows:
•
•
Examples
This example shows how to configure an ARP inspection on VLAN 1 to add packets to a log on matching against the ACLs with the logging keyword:
Switch# config terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# ip arp inspection vlan 1 logging acl-match matchlogSwitch(config)# endSwitch# show ip arp inspection vlan 1Source Mac Validation : EnabledDestination Mac Validation : DisabledIP Address Validation : DisabledVlan Configuration Operation ACL Match Static ACL---- ------------- --------- --------- ----------1 Enabled ActiveVlan ACL Logging DHCP Logging---- ----------- ------------1 Acl-Match DenySwitch#Related Commands
arp access-list
show ip arp inspectionip cef load-sharing algorithm
To configure the load-sharing hash function so that the source TCP/UDP port, the destination TCP/UDP port, or both ports can be included in the hash in addition to the source and destination IP addresses, use the ip cef load-sharing algorithm command. To revert back to the default, which does not include the ports, use the no form of this command.
ip cef load-sharing algorithm {include-ports {source source | destination dest} | original | tunnel | universal}
no ip cef load-sharing algorithm {include-ports {source source | destination dest} | original | tunnel | universal}
Syntax Description
Defaults
Default load-sharing algorithm is disabled.
Note
Command Modes
Global configuration
Command History
12.1(12c)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
The original algorithm, tunnel algorithm, and universal algorithm are routed through the hardware. For software-routed packets, the algorithms are handled by the software. The include-ports option does not apply to the software-switched traffic.
Examples
This example shows how to configure the IP CEF load-sharing algorithm that includes Layer 4 ports:
Switch(config)# ip cef load-sharing algorithm include-portsSwitch(config)#This example shows how to configure the IP CEF load-sharing algorithm that includes Layer 4 tunneling ports:
Switch(config)# ip cef load-sharing algorithm include-ports tunnelSwitch(config)#Related Commands
ip dhcp snooping
To enable DHCP snooping globally, use the ip dhcp snooping command. To disable DHCP snooping, use the no form of this command.
ip dhcp snooping
no ip dhcp snooping
Syntax Description
This command has no arguments or keywords.
Defaults
DHCP snooping is disabled.
Command Modes
Global configuration
Command History
12.1(12c)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
You must enable DHCP snooping globally before you can use DHCP snooping on a VLAN.
Examples
This example shows how to enable DHCP snooping:
Switch(config)# ip dhcp snoopingSwitch(config)#This example shows how to disable DHCP snooping:
Switch(config)# no ip dhcp snoopingSwitch(config)#Related Commands
ip dhcp snooping information option
ip dhcp snooping limit rate
ip dhcp snooping trust
ip dhcp snooping vlan
show ip dhcp snooping
show ip dhcp snooping bindingip dhcp snooping binding
To set up and generate a DHCP binding configuration to restore bindings across reboots, use the ip dhcp snooping binding command. To disable the binding configuration, use the no form of this command.
ip dhcp snooping binding mac-address vlan vlan-# ip-address interface interface expiry seconds
no ip dhcp snooping binding mac-address vlan vlan-# ip-address interface interface
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Whenever a binding is added or removed using this command, the binding database is marked as changed and a write is initiated.
Examples
This example shows how to generate a DHCP binding configuration on interface gigabitethernet1/1 in VLAN 1 with an expiration time of 1000 seconds:
Switch# ip dhcp snooping binding 0001.1234.1234 vlan 1 172.20.50.5 interface gi1/1 expiry 1000Switch#Related Commands
ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping trust
ip dhcp snooping vlan
show ip dhcp snooping
show ip dhcp snooping bindingip dhcp snooping database
To store the bindings that are generated by DHCP snooping, use the ip dhcp snooping database command. To either reset the timeout, reset the write-delay, or delete the agent specified by the URL, use the no form of this command.
ip dhcp snooping database {url | timeout seconds | write-delay seconds}
no ip dhcp snooping database {timeout | write-delay}
Syntax Description
Defaults
The timeout value is set to 300 seconds (5 minutes).
The write-delay value is set to 300 seconds.
Command Modes
Interface configuration
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
You need to create an empty file at the configured URL on network-based URLs (such as TFTP and FTP) before the switch can write the set of bindings for the first time at the URL.
Note
Examples
This example shows how to store a database file with the IP address 10.1.1.1 within a directory called directory. A file named file must be present on the TFTP server.
Switch# config terminalSwitch(config)# ip dhcp snooping database tftp://10.1.1.1/directory/fileSwitch(config)# endSwitch# show ip dhcp snooping databaseAgent URL : tftp://10.1.1.1/directory/fileWrite delay Timer : 300 secondsAbort Timer : 300 secondsAgent Running : YesDelay Timer Expiry : Not RunningAbort Timer Expiry : Not RunningLast Succeded Time : NoneLast Failed Time : NoneLast Failed Reason : No failure recorded.Total Attempts : 1 Startup Failures : 0Successful Transfers : 0 Failed Transfers : 0Successful Reads : 0 Failed Reads : 0Successful Writes : 0 Failed Writes : 0Media Failures : 0Switch#Related Commands
ip dhcp snooping
ip dhcp snooping binding
ip dhcp snooping information option
ip dhcp snooping trust
ip dhcp snooping vlan
show ip dhcp snooping
show ip dhcp snooping bindingip dhcp snooping information option
To enable DHCP option 82 data insertion, use the ip dhcp snooping information option command. To disable DHCP option 82 data insertion, use the no form of this command.
ip dhcp snooping information option
no ip dhcp snooping information option
Syntax Description
This command has no arguments or keywords.
Defaults
DHCP option 82 data insertion is enabled.
Command Modes
Global configuration
Command History
12.1(12c)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Examples
This example shows how to enable DHCP option 82 data insertion:
Switch(config)# ip dhcp snooping information optionSwitch(config)#This example shows how to disable DHCP option 82 data insertion:
Switch(config)# no ip dhcp snooping information optionSwitch(config)#Related Commands
ip dhcp snooping
ip dhcp snooping limit rate
ip dhcp snooping trust
ip dhcp snooping vlan
show ip dhcp snooping
show ip dhcp snooping bindingip dhcp snooping information option allow-untrusted
To allow DHCP packets with option 82 data inserted to be received from a snooping untrusted port, use the ip dhcp snooping information option allow-untrusted command. To disallow receipt of these DHCP packets, use the no form of this command.
ip dhcp snooping information option allow-untrusted
no ip dhcp snooping information option allow-untrusted
Syntax Description
This command has no arguments or keywords.
Defaults
DHCP packets with option 82 are not allowed on snooping untrusted ports.
Command Modes
Global configuration
Command History
12.2(25)EWA
Support for this command was introduced on the Catalyst 4500 series switch.
Examples
This example shows how to allow DHCP packets with option 82 data inserted to be received from a snooping untrusted port:
Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# ip dhcp snooping information option allow-untrustedSwitch(config)# endSwitch#Related Commands
ip dhcp snooping
ip dhcp snooping limit rate
ip dhcp snooping trust
ip dhcp snooping vlan
ip dhcp snooping information option
show ip dhcp snooping
show ip dhcp snooping bindingip dhcp snooping limit rate
To configure the number of the DHCP messages that an interface can receive per second, use the ip dhcp snooping limit rate command. To disable the DHCP snooping rate limiting, use the no form of this command.
ip dhcp snooping limit rate rate
no ip dhcp snooping limit rate
Syntax Description
Defaults
DHCP snooping rate limiting is disabled.
Command Modes
Interface configuration
Command History
12.1(12c)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
Typically, the rate limit applies to the untrusted interfaces. If you want to set up rate limiting for the trusted interfaces, note that the trusted interfaces aggregate all DHCP traffic in the switch, and you will need to adjust the rate limit of the interfaces to a higher value.
